Suspicious Binary Writes Via AnyDesk
Detects AnyDesk writing binary files to disk other than "gcapi.dll". According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)
Sigma rule (View on GitHub)
1title: Suspicious Binary Writes Via AnyDesk
2id: 2d367498-5112-4ae5-a06a-96e7bc33a211
3status: test
4description: |
5 Detects AnyDesk writing binary files to disk other than "gcapi.dll".
6 According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,
7 which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)
8references:
9 - https://redcanary.com/blog/misbehaving-rats/
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2022/09/28
12tags:
13 - attack.command_and_control
14 - attack.t1219
15logsource:
16 product: windows
17 category: file_event
18detection:
19 selection:
20 Image|endswith: '\anydesk.exe'
21 TargetFilename|endswith:
22 - '.dll'
23 - '.exe'
24 filter_dlls:
25 TargetFilename|endswith: '\gcapi.dll'
26 condition: selection and not 1 of filter_*
27falsepositives:
28 - Unknown
29level: high
References
-
Ransomware operators frequently abuse RATs like NetSupport, Remote Utilities, ScreenConnect, and Anydesk. Here's what to look out for.
Read More
Related rules
- Inveigh Execution Artefacts
- Mesh Agent Service Installation
- Suspicious TSCON Start as SYSTEM
- TacticalRMM Service Installation
- Use of UltraVNC Remote Access Software